The HIPAA Privacy Rule And Its Impact On Agents And Employers

1
The HIPAA Privacy RuleAnd Its Impact On Agents
And Employers
National Association of Health
Underwriters Capitol Conference March 23,
2003 Joseph T. Holahan, JD Morris, Manning
Martin, LLP Washington, DC 202.408.0705 jholahan_at_m
mmlaw.com
2
Road Map

• Overview of the HIPAA Privacy Rule
• Covered entities and products
• Compliance deadlines
• General requirements
• Impact on agents
• Business associate contract
• Disclosures to agents by insurers
• Impact on employers

3
Covered Entities

• Health plans
• Health care providers engaging standard
  electronic transactions
• Health care clearinghouses

4
Health PlansProvide or Pay Cost of Medical Care

• Health insurance issuers and HMOs
• Issuers of Medicare supplemental policies
• Issuers of long-term care policies (except
  nursing home fixed-indemnity policies)
• Group health plans (except self-administered with
  fewer than 50 participants)
• MEWAs
• State high risk pools
• Medicare, MedicareChoice, CHAMPUS and certain
  other programs
• Any other individual or group health plan that
  provides or pays for the cost of medical care

5
Covered Products

• Major medical
• HMO
• Dental and vision
• Most long-term care
• Medicare supplemental
• MedicareChoice

6
Excluded Products

• Life
• Accident only
• Disability income
• Coverage issued as supplement to liability
  insurance
• Liability insurance, including general liability
  and auto liability insurance
• Auto medical payment
• Credit-only
• Coverage for on-site medical clinics

7
Gray Area

• Specified disease
• Hospital indemnity

8
Compliance Deadlines

• Most health insurance issuers and HMOs and any
  group health plansApril 14, 2003
• Small health plans (annual receipts of 5 million
  or less)April 14, 2004

9
General Requirements

• Restricts use and disclosure of protected health
  information (PHI) without written authorization
• Minimum necessary standard
• Individual Rights
• Restrictions on use and disclosure
• Access
• Accounting of disclosures
• Amendment
• Business associate contracts
• Amend group health plan documents in some cases
  to impose requirements on sponsor

10
General Requirements, Cont.

• Notice of privacy practices
• Administrative requirements, including
• Privacy officer
• Privacy contact office
• Privacy policies and procedures
• Trainingworkforce only

11
Permitted Uses and Disclosures

• Pursuant to written authorization compliant with
  HIPAA
• For treatment, payment or health care operations
• To individual or personal representative
• Friend, family member or other person identified
  by individual with written or oral agreement
• Required by law
• Regulators
• Judicial and administrative proceedings
• Law enforcement
• To health oversight agency as authorized by law

12
Permitted Uses and DisclosuresHealth Care
Operations

• Health care operations include
• Activities by or on behalf of health plan
  relating to the creation, renewal or replacement
  of a contract for health insurance or health
  benefits
• Customer service by or on behalf of health plan

13
Permitted Uses and DisclosuresPayment

• Payment includes
• Activities by or on behalf of health plan to
  determine eligibility or coverage
• Claims management by on behalf of health plan

14
Disclosure By Health Plan To Agent

• Payment or health care operations
• Friend, family member or other person identified
  by individual
• PHI directly relevant to persons involvement in
  individuals health care
• Written or oral agreement, opportunity to
  object and no objection or reasonable inference
  of no objection based on professional judgment
• Written authorization

15
Required Uses and Disclosures

• Individual access to PHI
• Secretary of DHHS for investigating covered
  entitys compliance

16
Required Elements of the Business Associate
AgreementPart I

• Establish permitted and required uses and
  disclosures of PHI by business associate
• May not authorize the business associate to use
  or disclose information in a way that would
  violate the Privacy Rule if done by covered
  entity, with exceptions where necessary for
  business associates management and
  administration and for data aggregation services

17
Required Elements of the Business Associate
AgreementPart II

• Provide that the business associate will
• Not further use or disclose PHI other than as
  permitted or required by law
• Use appropriate safeguards to prevent use or
  disclosure other than as provided by the
  agreement
• If aware of any use or disclosure not provided by
  the agreement, report it to covered entity
• Ensure that any agents, including subcontractors,
  to whom it provides PHI agree to same restrictions

18
Required Elements of the Business Associate
AgreementPart III

• Provide that the business associate will
• Make PHI available for access by the individual
• Make PHI available for amendment and incorporate
  any amendments
• Make PHI available to provide an accounting of
  disclosures
• Make its internal practices, books, and records
  available to DHHS for investigating covered
  entitys compliance

19
Required Elements of the Business Associate
AgreementPart IV

• At termination of contract, if feasible, return
  or destroy all PHI received from covered entity
  or created or received on behalf of covered
  entity and retain no copies.
• If return or destruction not feasible, extend
  protections of contract to information retained
  and limit use and disclosure to purposes for
  which information must be retained.

20
Permitted Elements of the Business Associate
Agreement

• May permit the business associate to use and
  disclose PHI as necessary for
• Management and administration of its business
  and
• To carry out its legal responsibilities
• But unless disclosure required by law, business
  associate must obtain reasonable assurances
  from person to whom PHI is disclosed that
• PHI will be held confidentially
• PHI will be further disclosed only as required by
  law or for purpose for which it was disclosed to
  the person and
• Person will notify business associate of any
  known breach of confidentiality

21
Breach of Business Associate ContractRequired
Action By Covered Entity

• Take reasonable steps to cure the breach
• If unsuccessful, terminate contract if feasible
• If termination not feasible, report problem to
  DHHS
• To extent practicable, mitigate any known harm
  from violation

22
Group Health Plans

• Self-insured plansall of the Privacy Rules
  provisions apply, including
• Provide privacy notice
• Implement policies and procedures
• Train workforce
• Plans offering flexible savings accountsmay need
  to treat as a self-insured plan
• Insured plansdepends on how much PHI created or
  received from issuer or HMO

23
Insured Group Health Plans

• If group health plan creates or receives only
  summary PHI and information about whether
  individual has enrolled or disenrolled, duties
  greatly reducedfor example
• No notice required
• No need for written policies and procedures
• No training required
• If group health plan creates or receive other
  PHI, then
• Must maintain notice and provide on request
• All other requirements of Privacy Rule apply

24
Plan Sponsor

• No requirements, if plan sponsor only receives
• Summary PHI for purpose of obtaining premium
  bids or modifying, amending or terminating plan
• Information on whether individual has enrolled or
  disenrolled or
• PHI disclosed pursuant to a written authorization
• If sponsor receives other PHI, must amend plan
  documents and group health plan must receive
  written certification of amendment and give notice

25
Amendment of Group Health Plan Documents

• Much like business associate contract, with added
  provisions
• Not use or disclose PHI for employment-related
  actions and decisions
• Not use or disclose PHI in connection with any
  other benefit or employee benefit plan of sponsor
• Ensure adequate separation between group health
  plan and sponsor

26
Adequate Separation

• Describe employees or classes of employees and
  other persons under control of plan sponsor with
  access to PHI
• Restrict access to and use of PHI by employees
  and other persons to plan administration
  functions
• Provide effective mechanism for resolving issues
  of noncompliance by employees and persons with
  access to PHI

27
The HIPAA Privacy RuleAnd Its Impact On Agents
And Employers
National Association of Health
Underwriters Capitol Conference March 23,
2003 Joseph T. Holahan, JD Morris, Manning
Martin, LLP Washington, DC 202.408.0705 jholahan_at_m
mmlaw.com